Claims 



1. A controlled multicast system, including an Ethernet switch and a multicast 
router, where the Ethernet switch connects with each host of a user in a downlink, 
connects with the multicast router in an uplink, the multicast router connects with a 
multicast router of other systems in the uplink, the Ethernet switch implementing 
multicast exchange of a layer 2, an IGMP V2 protocol is adopted as group 
management protocol between the Ethernet switch and the host of the user; wherein 
the controlled multicast system further comprises: a portal server and an AAA server 
that connect with the multicast router; the portal server acting as an interface of user 
access authentication, the AAA server being used for storing configuration of 
privilege for the user to join in a multicast group; the multicast router cooperating 
with the AAA server together to implement privilege authentication for the user to 
join in the multicast group, and distributing control commands according to results of 
the authentication to control multicast forwarding operations of the Ethernet switch. 

2. The controlled multicast system according to claim 1, a RADIUS+ protocol 
extended from an AAA protocol is adopted as communication protocol between the 
multicast router and the AAA server; a group management protocol HGMP (Huawei 
Group Management Protocol) is used as a control protocol between the Ethernet 
switch and the multicast router. 

3. A method for implementing a controlled multicast, comprises: implementing 
access authentication first; then an Ethernet switch classifying a vlan according to a 
port and handling an IGMP message from a host, implementing user identification, 
authentication for joining in a multicast group, and a multicast router handling the 
IGMP message; in succession, the multicast router controlling the Ethernet switch for 
multicast forwarding, between which a HGMP protocol is used as a control protocol 
of the controlled multicast; after that, the Ethernet switch disposing a HGMP control 
message and forwarding a multicast flow; the host leaving the multicast group and 
making corresponding processes after finishing the forwarding operation. 

4. The method according to claim 3, wherein the step of implementing access 
authentication comprises, 

(1) when accessing a network, the host inputting an authentication information 
that includes a User ID and a password first through an interface provided by a portal 
server, and an AAA server authenticating identification of the host with the information; 
once the authentication is successful, the multicast router recording the User ID and a 
corresponding vlan ID of the host in a multicast access privilege table of the user; 

the step of the Ethernet switch classifying the vlan according to the port and 
handling the IGMP message from the host comprises, 

(2) classifying the vlan according to the ports, with one vlan for each port, and 
linking one port to one host; searching a Content-Addressable Memory (CAM) table 
with a destination MAC address of the IGMP message sent by the host and 
forwarding the said IGMP message, of which forwarding process is same with that of 
a unicast message: if the port corresponding to the destination MAC address is found, 
forwarding the multicast message to the port, otherwise forwarding the multicast 
message to all the ports; 

the step of implementing user identification, authentication for joining in the 
multicast group, and handling the IGMP message by the multicast router comprises, 

(3) after receiving an IGMP Membership Report message, according to the vlan 
ID in the message, the multicast router finding the corresponding User ID and the 
host to which the IGMP Membership Report message belongs through searching in 
the multicast access privilege table of the user recorded in step (1), and then sending 
an extended RADIUS authentication message which includes the User ID just found 
as the user name and the address of multicast group in which the host wants to join as 
an attribute, to the AAA server for authentication; 

the AAA server determining whether to accept the user based on services of the 
user; if the user has the suitable privilege, responding with an acceptance message, 
otherwise returning a reject message; after receiving the reject message, the multicast 
router doing nothing, but if receiving the acceptance message, the multicast router 
writing the address of the multicast group in which the user can join into the multicast 
access privilege table of the user, and implementing a routine disposal on join 
messages of the host, then generating and transmitting a HGMP Join message to the 
Ethernet switch, which comprises the vlan ID corresponding to the port that links with 
the host which wants to join in the multicast group, the address of the multicast group 
that is applied for, and a Join command field; moreover, the multicast router also 
completing a routine processing of creating multicast forwarding tree on the IGMP 
Membership Report message just like an ordinary multicast router does; 

the step of the multicast router controlling the Ethernet switch making the 
multicast forwarding with the HGMP protocol being control protocol of the controlled 
multicast comprises, 

(4) managing generation and deletion of an entry in the CAM table at the 
Ethernet switch by the multicast router; while allowing the host to join in the 
multicast group, the multicast router sending the HGMP Join message that includes 
the vlan ID of the host which applies to join in the multicast group and the address of 
the multicast group applied for to the Ethernet switch; when the multicast router wants 
to terminate the host joining in the multicast group, the multicast router transmitting a 
HGMP Leave message which comprises the vlan ID of the host which leaves the 
multicast group and the address of the multicast group where the host leaves; 

the step of the Ethernet switch disposing the HGMP control message comprises, 

(5) after receiving the HGMP Join message, the Ethernet switch searching the 
CAM table with the MAC address corresponding to the address of the multicast group; 
if the entry corresponding with the address is found, the Ethernet switch obtaining the 
port number of the host via searching in the CAM table with the vlan ID in the HGMP 
Join message, and then adding the port number into the said entry; if nothing is found, 
adding an entry in the CAM table, which comprises the MAC address corresponding 
to the multicast address, the port number of the host which applies to join in the 
multicast group, and the port number of the multicast router connected with the 
Ethernet switch; 

after receiving the HGMP Leave message, the Ethernet switch obtaining the 
entry through looking up the CAM table with the MAC address corresponding to the 
multicast address of the multicast group, and getting the port number of the host 
through searching with the vlan ID, and then deleting the said port number from the 
said entry, if the said port number is the sole port of the said entry, deleting the 
whole entry; 

the step of forwarding of the multicast flow comprises, 

(6) when receiving the multicast flow sent from the multicast source, the 
multicast router forwarding the multicast flow to an egress based on a CAM table; 
when handling the IGMP Membership Report message of the host, the multicast 
router creating a multicast forwarding egress according to the real port of the Ethernet 
switch, and sending only one copy of the multicast flow to the Ethernet switch; 

the step of the host leaving the multicast group comprises, 

(7) after finishing the multicast and wanting to leave the multicast group, the 
host sending an IGMP Leave message; after receiving the IGMP Leave message, the 
multicast router extracting the vlan ID from the message, and obtaining corresponding 
entry via searching in the multicast access privilege table created in step (1) with the 
vlan ID, then deleting the address of the multicast group indicated by the IGMP Leave 
message in the entry; after completing a routine disposal on leave messages, the 
multicast router generating the HGMP Leave message and sending to the Ethernet 
switch, which includes the vlan ID of the host which wants to leave group, the address 
of multicast group where the host wants to leave and a Leave command field. 
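
Added example, not part of the claims or of any vendor implementation: a Python model of steps (1) through (7) of claim 4, showing that a host port enters the switch's CAM table only after the AAA check accepts the join. The class names, port numbers, the dictionary standing in for the AAA server and the sample users are assumptions; the group-to-MAC mapping is the standard IPv4 one.

```python
import ipaddress
ROUTER_PORT = 0  # assumption: switch port that links to the multicast router

def group_mac(group_ip):
    """IPv4 multicast group -> Ethernet MAC (01:00:5e + low 23 bits of the address)."""
    low = int(ipaddress.IPv4Address(group_ip)) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low >> 16, (low >> 8) & 0xFF, low & 0xFF)

class Switch:
    """Steps (2) and (5): one vlan per port; CAM changes only on HGMP commands."""
    def __init__(self, vlan_to_port):
        self.vlan_to_port, self.cam = vlan_to_port, {}  # cam: multicast MAC -> ports
    def hgmp(self, command, vlan_id, group_ip):
        mac, port = group_mac(group_ip), self.vlan_to_port[vlan_id]
        if command == "Join":  # add the port to the entry, creating it if absent
            self.cam.setdefault(mac, {ROUTER_PORT}).add(port)
        elif command == "Leave" and mac in self.cam:
            self.cam[mac].discard(port)
            if self.cam[mac] <= {ROUTER_PORT}:  # assumption: no host port remains
                del self.cam[mac]

class Router:
    """Steps (1), (3), (4), (7); aaa_policy stands in for the AAA server."""
    def __init__(self, switch, aaa_policy):
        self.switch, self.aaa_policy = switch, aaa_policy
        self.privilege = {}  # vlan ID -> {"user": User ID, "groups": joined groups}
    def access_authenticated(self, user_id, vlan_id):
        self.privilege[vlan_id] = {"user": user_id, "groups": set()}
    def igmp_report(self, vlan_id, group_ip):
        entry = self.privilege.get(vlan_id)
        if entry is None or group_ip not in self.aaa_policy.get(entry["user"], ()):
            return "reject"  # router does nothing; unknown vlan handled alike (assumption)
        entry["groups"].add(group_ip)
        self.switch.hgmp("Join", vlan_id, group_ip)
        return "accept"
    def igmp_leave(self, vlan_id, group_ip):
        entry = self.privilege.get(vlan_id)
        if entry and group_ip in entry["groups"]:
            entry["groups"].discard(group_ip)
            self.switch.hgmp("Leave", vlan_id, group_ip)

def demo():
    sw = Switch({10: 1, 20: 2})  # constructed vlan -> port map
    rt = Router(sw, {"alice": {"239.1.1.1"}, "bob": set()})  # constructed policy
    rt.access_authenticated("alice", 10)
    rt.access_authenticated("bob", 20)
    results = [rt.igmp_report(10, "239.1.1.1"), rt.igmp_report(20, "239.1.1.1")]
    after_join = {mac: set(ports) for mac, ports in sw.cam.items()}
    rt.igmp_leave(10, "239.1.1.1")
    return results, after_join, sw.cam
```
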

5. The method according to claim 3, wherein the CAM table and the unicast 
forwarding table of the Ethernet switch are shared. 

6. The method according to claim 3, wherein, during the messages forwarding, 
adopting a vlan protocol between the port of the multicast router and the Ethernet 
switch. 

7. The method according to claim 3, in step (6) there is no vlan ID in a multicast 
data packet of the multicast flow sent from the multicast router. 

8. The method according to claim 3, in step (7) of leaving from the multicast 
group can also be implemented via following means which comprises, once the 
multicast router knows offline status of the user, the multicast router actively sending 
the HGMP Leave message to terminate multicast flow transmission to the host, which 
is same with that of processing on the IGMP Leave message. 

9. The method according to claim 3, further comprises controlling the multicast 
sender, which includes when the host transmits data to the multicast group, the first 
receiver among the multicast routers filtering the data message with a multicast 
Access Control List (ACL), and forwarding the data message that satisfies the 
requirements in the ACL to the multicast tree. 

10. The method according to claim 9, wherein the multicast ACL comprises a 
command word, a source address and a group address. 

11. The method according to claim 9, wherein the multicast ACL is distributed to 
each multicast router by a centralized multicast service control server; the step of 
controlling the sender is accomplished with the multicast ACL by the multicast router, 
meanwhile the multicast service control server also acts as the AAA server. 

12. The method according to claim 9, wherein the multicast ACL can also be 
distributed by a centralized policy server or a network manager. 